Author Topic: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK  (Read 13610 times)

0 Members and 1 Guest are viewing this topic.

Chrisatrax

  • Guest
Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« on: April 22, 2008, 04:32:50 PM »
Hi Folks

This morning my Avast found a trojan with "TheatFire" (from PC Tools) for the 1st time. I am assuming this is false. Here is the Avast warning.

=====================
Event Type:   Warning
Event Source:   avast!
Event Category:   Client
Event ID:   90
Date:      04/22/2008
Time:      06:24:00 AM
User:      N/A
Computer:   CHRISTOPHER1
Description:
Sign of "Win32:Rbot-FTK [trj]" has been found in "C:\Program Files\ThreatFire\TFMisc.dll" file.

======================================================================

ThreatFire is a rootkit finder/stopper that I have used for quite sometime without any problems of threats. I am curious if anyone else has had this trojan found. I did not delete or put this "TFMisc.dll" in the chest.

Thanks, Christopher

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #1 on: April 22, 2008, 05:12:35 PM »
Maybe you could test TFMisc.dll with www.virustotal.com
If it is clean, you can add it to avast Exclusion lists.
Sorry if I'm saying what you've already know...
Similar thread: http://forum.avast.com/index.php?topic=34950.0
The best things in life are free.

Offline misak

  • Moderator
  • Sr. Member
  • *
  • Posts: 234
    • Personal page (CZE)
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #2 on: April 22, 2008, 05:19:13 PM »
False positive alert Win32:Rbot-FTK [trj] in file TFMisc.dll will be fixed in next VPS update

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #3 on: April 22, 2008, 05:27:02 PM »
@ Misak
You might want to take a look at this one while you are on the forums, http://forum.avast.com/index.php?topic=34949.msg293448#msg293448. Probable FP on a shockwave.com download.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Firebytes

  • Guest
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #4 on: April 22, 2008, 07:08:28 PM »
I came home today after bieng gone 24 hours and updated my programs. After I rebooted TF would not load, it just said "Initiating" and it's icon couldn't be clicked on, etc. I thought it might have been a glitch at boot so I rebooted. This time avast! indicated that it found a trojan in TFMisc.dll  "Win32:Rbot-FTK [trj]" (reported to be a false positive by PC Tools TF). I initially had quarantined the file but after submitting it to avast and checking at PC Tools I restored it.

What I have discovered is that after restoring the file and rebooting avast did not detect it again. However TF would still not load. I went into avast's troubleshooting section and set avast to "Delay loading of avast! services after other system services" and rebooted. TF will now load to a normal state although it does show the "initiating" indicator for a few seconds first. I tested again by setting avast to load normally and rebooted and avast killed TF again. Resetting avast to delay loading and rebooting again solved the problem.

So as a work around until this is fixed, if you want to you can make avast delay loading and TF will load.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #5 on: April 22, 2008, 07:17:47 PM »
You should exclude the file from scanning until the FP is corrected, rather than delay the start of avast as that is no guarantee that it won't get in before threatfire and detect it.

See http://forum.avast.com/index.php?topic=34950.msg293451#msg293451.
« Last Edit: April 22, 2008, 07:20:42 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Firebytes

  • Guest
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #6 on: April 22, 2008, 07:38:02 PM »
You should exclude the file from scanning until the FP is corrected, rather than delay the start of avast as that is no guarantee that it won't get in before threatfire and detect it.

See http://forum.avast.com/index.php?topic=34950.msg293451#msg293451.

On my system even when avast! doesn't detect the file it still won't allow TF to load normally unless I set avast! to delay loading.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #7 on: April 22, 2008, 07:47:32 PM »
If avast isn't physically detecting it, whether or not it is loading as normal or delayed, then avast isn't stopping it, there is something else in the loop. As the post on the TF Forum indicates another has excluded the file and that was the only solution that worked for him, http://www.pctools.com/forum/showpost.php?s=b295c5604cce9ed7b276eefaa80ee358&p=183034&postcount=13

avast! doesn't block but scans and alerts if if infection is found.

When avast first detected this what action did you take ?
If you said ignore/no action, I don't know if that might have any future impact, but it shouldn't.

What other security software do you have ?
« Last Edit: April 22, 2008, 07:51:29 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Firebytes

  • Guest
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #8 on: April 22, 2008, 08:01:01 PM »
I answered for avast to "Continue" when it issued the alert since I was sure it was a false positive, so maybe it is already excluding the file? I still couldn't get TF to load normally without delaying avast startup though. The only realtime protections I am running are avast! and TF.

Firebytes

  • Guest
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #9 on: April 22, 2008, 08:20:34 PM »
OK, DavidR, you were correct that excluding the TF folder from being scanned did correct the problem. Avast wasn't detecting the file on my system after I answered the initial prompt so I thought it wasn't that interfering with it. I excluded the file from scanning and allowed avast! to start normally and it did allow TF to run normally. Sorry for my error.  :-[

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #10 on: April 22, 2008, 09:14:09 PM »
The Continue action, as you have found won't cut it as no matter what avast won't allow an infected/detected file to be executed, even if you chose continue/no action, etc. (it simply isn't going to let you get infected by allowing you to run the file, assuming it isn't an FP as in this case).

Don't exclude the complete TF folder as that could leave a hole in your security, you should just exclude the specific file being detected.
« Last Edit: April 22, 2008, 09:34:26 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #11 on: April 22, 2008, 09:23:14 PM »
In fact, my personal experience is that ThreatFire has a bad integration - too aggressive - into the system. I have very bad experiences using Firefox, installing extensions... I've install software very often and ThreatFire messes its installation, i.e., it does its job alerting you but it does not allow normal functions of the computer without alerting you... this is not good.
The best things in life are free.

Firebytes

  • Guest
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #12 on: April 22, 2008, 11:07:47 PM »
I just updated my definitions and avast! no longer detects the file. TF loads fine again without excluding any of it's files. Thanks for the fast work avast! team.  ;D

As far as TF goes, I have never had any problems with it and Firefox, extensions, or any other program, but I do usually suspend TF when installing a program I trust. Avast! I leave running though.

Again, thanks for the assistance and the quick fix.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #13 on: April 22, 2008, 11:44:54 PM »
Thanks for the feedback, if you haven't already done so you can remove the exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

smc1979

  • Guest
Re: Avast finds - ThreatFire\TFMisc.dll - Win32:Rbot-FTK
« Reply #14 on: April 28, 2008, 10:47:01 PM »
Edit - oops wrong topic!
« Last Edit: April 29, 2008, 12:13:31 AM by smc1979 »